Password protected/encrypted user attributes

I’d like to implement a user attribute that is encrypted by the user’s password which can then be accessed as a client protocol mapper. Here’s my use-case. Future releases of Nextcloud will allow setting a per-user encryption key via SAML:

While I can create a custom attribute for each user in Keycloak, it would be stored in plain-text. I’d like it to be encrypted by the user’s credentials, instead. I don’t think this is currently possible in Keycloak, and I think I can build it, but I thought I’d ask to see if it’s possible (and if not, maybe I could get some pointers).


. . . what about using the following in a Javascript Mapper? It’s not stored anywhere, is it?

exports = keycloakSession.userCredentialManager().getStoredCredentials(realm, user).get(0).getValue();

I know, I know - I should use the getStoredCredentialsStream - I’m just not very good with streams, at the moment (my Java is rusty).

EDIT: Never mind. It looks like it’s stored in the DB in plain-text.

There isn’t any way I can access the POST data from the Javascript Mapper, is there? I’m a PHP guy, and it would be easy to just access the $_POST superglobal. I’m digging around for a getRequest() function or something like that. I don’t think that exists, here.

I managed to find a solution. It required creating a new SAML protocol mapper, password policy provider, adding an event listener, etc. Once I get it fully working, I’ll try to remember to come back and post a link to my code - it works quite well!

Hi, we’re facing a similar problem

If you got it working we’d love to see your implementation as a reference